Disclaimer:
Although the backdoor vulnerability is quite a serious matter, we
have published an accompanying blog post to this technical advisory
which sheds a more humorous light on this topic. Visit our blog at
http://blog.sec-consult.com/2016/01/deliberately-hidden-backdoor-account-in.html
for more information.

Vendor description:
-------------------
"AMX® (www.amx.com) is part of the HARMAN Professional Division, and the
leading brand for the business, education, and government markets for the
company. As such, AMX is dedicated to integrating AV solutions for an IT World.
AMX solves the complexity of managing technology with reliable, consistent and
scalable systems comprising control and automation, system-wide switching and
AV signal distribution, digital signage and technology management. AMX systems
are deployed worldwide in conference rooms, homes, classrooms, network
operation/command centers, hotels, entertainment venues and broadcast
facilities, among others."

Source: http://www.amx.com/automate/aboutamx.aspx

Business recommendation:
------------------------
Attackers are able to completely compromise the affected devices, as the
backdoor grants them privileges beyond those of even an administrative
account on the system.

It is highly recommended by SEC Consult not to use these products until a
thorough security review has been performed by security professionals and all
identified issues have been resolved.

Vulnerability overview/description:
-----------------------------------
1) Deliberately hidden backdoor account
While analysing the application binary /bin/bw, SEC Consult discovered a
function called "setUpSubtleUserAccount" which adds an administrative
account to the internal user database. This account can be used to log on to
the web interface as well as SSH.
The functions that retrieve the list of all users in the database were found
to deliberately hide this user. Further, using this backdoor account grants
additional features on the remote CLI, such as capturing packets on the
network interface, which not even an administrator account can perform.

By decoding the strings which are loaded from memory and passed as arguments to
cSubtleUserPassword and cSubtleUserUserName, the following user and password
can be recovered:
user: BlackWidow
password: <removed from PoC>

Using these credentials a successful login has been performed to the web based
management interface, as well as the command line interface. Using this
backdoor account grants additional features on the command line interface, such
as capturing packets on the network interface.

Parts of the application which display a list of users are designed to
deliberately hide the backdoor account.
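As an added illustration (not SEC Consult's tooling and not code from the AMX binary), the Python triage helper below shows the two places such an account leaves traces in a firmware image: the clear-text symbol names, which a plain strings dump does find, and the credential itself, which only becomes readable after the binary's own decode step. The advisory does not state how AMX encoded the strings; the sample image is constructed and uses single-byte XOR purely for illustration.

```python
import re

# Tokens an auditor would grep for in symbol tables and string dumps.
SUSPICIOUS_TOKENS = ("subtle", "hidden", "backdoor", "secret", "maint")


def printable_strings(blob, min_len=6):
    """Same idea as `strings -n 6`: runs of printable ASCII in the image."""
    return [m.group().decode()
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def suspicious_symbols(blob):
    """Clear-text names that hint at a concealed account (cheap first pass)."""
    return [s for s in printable_strings(blob)
            if any(tok in s.lower() for tok in SUSPICIOUS_TOKENS)]


def xor_decoded_candidates(blob, min_len=8):
    """Single-byte XOR sweep: (key, text) pairs that are unreadable in the raw
    image but printable after XOR with `key`, i.e. strings that only exist in
    memory right before a credential-setup routine consumes them. Already
    readable regions and low-variety runs (null padding) are dropped."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    hits = []
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in blob)
        for m in re.finditer(pattern, decoded):
            raw = blob[m.start():m.end()]
            readable = sum(0x20 <= b <= 0x7e for b in raw) * 2 >= len(raw)
            text = m.group().decode()
            if not readable and len(set(text)) * 2 >= len(text):
                hits.append((key, text))
    return hits


def _xor(data, key):
    return bytes(b ^ key for b in data)


# Constructed sample image (NOT the AMX firmware): clear-text symbol names plus
# one credential stored XOR-obfuscated, so a plain strings dump never sees it.
SAMPLE_IMAGE = (
    b"\x7fELF\x00\x01\x02" + b"\x00" * 8
    + b"setUpSubtleUserAccount\x00cSubtleUserUserName\x00"
    + b"\x13\x37\x00" + _xor(b"BlackWidow", 0xAA) + b"\x00"
    + b"listUsers\x00getUserCount\x00\xff\xfe\xfd"
)
```

Running `suspicious_symbols(SAMPLE_IMAGE)` flags the two "Subtle" names, while "BlackWidow" is absent from `printable_strings(SAMPLE_IMAGE)` and only surfaces as a candidate of `xor_decoded_candidates(SAMPLE_IMAGE)` (several keys will produce readable variants; the analyst reviews the short list).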

AMX did not remove the backdoor in their first patch; only the backdoor
username was changed to a DC superhero name.
The new username was: 1MB@tMaN

The hotfix from 2016-01-15 is untested by SEC Consult and it is unknown
whether the backdoor has been removed properly now. Hence the password will
not be published.

Vulnerable / tested versions:
-----------------------------
The following software versions of the AMX NX-1200 have been tested / verified
to be vulnerable:
v1.2.322
v1.3.100

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendations about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested in working with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult